Developer Says Apple Fix Blocks His In-app Purchase Hack

Apple has a work around for developers hoping to avoid lost revenue from a hack that sidesteps payments for in-app purchases on iOS devices, and the hacker behind the exploit said the fix really will block his scheme. The fix includes a temporary process for developers, and a more permanent solution that will be included in the upcoming release of iOS 6 for the iPhone, iPad and iPod touch.

The fix for now, according to Apple, is to follow the company’s best practices guidelines and to use receipt validation where developer’s servers verify through the App Store whether or not the receipt is legit.

By examining last apple’s statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It’s a good news for everyone, we have updated security in iOS, developers have their air-money. But, service will still remain operational until iOS 6 comes out.

His hack allowed iOS users to make in-app purchases without paying by using his servers instead of Apple’s to process the transactions. By convincing users to install two specially crafted digital certificates on their iOS devices, he has been able to bypass Apple’s payment process.

The downside to the service is that app developers aren’t able to collect money they’re rightly owed when users steal their content. End users are also potentially susceptible to man-in-the-middle attacks where the developer behind the attack could potentially spoof any website URL with his own DNS servers, and he can collect identifying information about users that take advantage of his hack.

Apple’s first attempt to block the theft of in-app purchases failed, although it looks like — at least for now — the company has a system in place that will protect developer’s from in-app purchase theft.

The hack developer said he plans to leave the payment bypass system in place until iOS 6 is released, and is actively working on developing a similar hack for the Mac App Store.